Tuesday, January 11, 2011

Applicability of DISA DMZ to Cyber Operations

The Defense Information Systems Agency (DISA) has just announced the creation of a demilitarized zone (DMZ) for unclassified DoD applications. The objective of the DMZ is to control access and improve security between the public Internet and the Unclassified but Sensitive IP Router Network (NIPRNet). Implementation will take about two years. It is supposed to roll out across an estimated 15,000 DoD networks.

In computer security terms, the DoD DMZ will be an isolated sub-network that processes all intra-enterprise transactions for an estimated more than four million client computers before exposing them to any untrusted network such as the Internet.

The purpose of the DoD DMZ is to add an additional layer of security to DoD local area networks (LAN) and wide area networks (WAN). An external attacker will then have access only to the perimeter defenses of the DMZ. This makes it necessary that none of the 15,000 DoD networks have any computer ports, whether on client computers or on servers, exposed to access from the Internet, with the exception of designated DoD web-based applications. It is expected that the DoD DMZ will deflect almost all of the known attack methods. However, it will still leave it to human operators to discover and then deal with any anomalies that are detected by monitoring software.

As cyber attack methods progress and evolve, it is likely that there will be a shift from software-based, automatic detection methods to an increased reliance on the human intelligence of the guardians of the DMZ.

Under conditions of a concentrated cyber attack, the number of transactions that must be processed and then passed through the DoD DMZ can approach tens of thousands of events per minute. Therefore the capacity of a DMZ must be designed to handle exceptionally large amounts of peak traffic. On account of the increased complexity of zero-day attacks, this will place a burden on the capabilities of the diagnostic methods that are in place.

The servers most vulnerable to external attacks are those that provide services to users who engage in business outside of their local networks, such as e-mail, web and Domain Name System (DNS) routers. Because of the increased potential of these servers being compromised, such clusters would have to be placed into their own sub-network in order to contain the damage if an intruder were to succeed in attacking them. Therefore servers within a DMZ will have to be assigned limited connectivity to designated servers within the internal network as an added precaution.

Communication among servers within a DMZ may also have to be restricted. This will allow servers within the DMZ to provide services to both the internal and the external network, while allowing the DMZ operators to cut off traffic when intervening controls indicate that the traffic between servers within the DMZ, or with external networks, has been compromised.
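The segmentation described in the last two paragraphs, written out as an nftables ruleset for a three-interface forwarding firewall; this is an added illustration, not DISA's design, and the interface names, address ranges and "designated" hosts are assumptions chosen for the example:

```nft
#!/usr/sbin/nft -f
# Added example (not DISA's design). Interface names, address ranges and
# the designated hosts below are constructed for illustration only.
define WAN        = eth0          # public Internet
define DMZ        = eth1          # DMZ sub-network
define LAN        = eth2          # internal (NIPRNet-side) enclave
define WEB_APP    = 192.0.2.10    # designated web application in the DMZ
define MAIL_RELAY = 192.0.2.25    # DMZ mail relay
define INT_MAIL   = 10.0.1.25     # internal mail server the relay may reach
define INT_DNS    = 10.0.1.53     # internal DNS server the DMZ may query

table inet dmz {
    # Operators add a DMZ host here to cut off its traffic immediately.
    set quarantined {
        type ipv4_addr
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Quarantined hosts lose all forwarded traffic, even existing sessions.
        ip saddr @quarantined log prefix "dmz-quarantine " drop
        ip daddr @quarantined drop

        # Existing sessions pass; every new flow must match a rule below.
        ct state established,related accept
        ct state invalid drop

        # Internet -> DMZ: only the designated applications, only their ports.
        iifname $WAN oifname $DMZ ip daddr $WEB_APP tcp dport { 80, 443 } accept
        iifname $WAN oifname $DMZ ip daddr $MAIL_RELAY tcp dport 25 accept

        # DMZ -> internal: limited connectivity to designated servers only.
        iifname $DMZ oifname $LAN ip saddr $MAIL_RELAY ip daddr $INT_MAIL tcp dport 25 accept
        iifname $DMZ oifname $LAN ip daddr $INT_DNS udp dport 53 accept

        # Internal clients -> DMZ: same services the public gets, nothing more.
        iifname $LAN oifname $DMZ ip daddr $WEB_APP tcp dport { 80, 443 } accept
        iifname $LAN oifname $DMZ ip daddr $MAIL_RELAY tcp dport { 25, 587 } accept

        # Server-to-server traffic inside the DMZ is logged and dropped, so a
        # compromised host cannot quietly reach its neighbours. This is only
        # enforceable when each cluster sits on its own segment behind the firewall.
        iifname $DMZ oifname $DMZ log prefix "dmz-lateral " drop

        # Internet -> internal never passes; the DMZ is the only exposure.
        iifname $WAN oifname $LAN log prefix "wan-to-lan " drop

        # Everything else hits the default drop policy; log it for the operators.
        log prefix "dmz-drop " drop
    }
}
```

Loading the file with `nft -f` installs the policy, and `nft add element inet dmz quarantined { 192.0.2.25 }` is how an operator would isolate the mail relay once monitoring flags it.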

Simultaneously with the creation of the DMZ, DISA is also implementing a DoD central command center (DCC). The DCC will provide continuous oversight of DISA's network as well as of 13 subordinate regional operations centers. The center will employ a mix of 220 contractors, civilian employees and military personnel. The DCC is expected to be fully operational when DISA moves to Ft. Meade late in 2011.

The construction of the DCC and the creation of the NIPR DMZ are milestone events in the creation of more defensible cyber operations for DoD. These are the right moves, in the right direction. They are an indication that, under the direction of USCYBERCOM, the DISA organization is progressing in its support of cyber operations.

It remains to be shown how technically effective the new DMZ will be. By creating one or more sub-networks that screen incoming and outgoing traffic, DISA will be adding delays (latency) to all of its transactions. Some transactions will be dropped and will therefore require a positive confirmation for critical messages, which will increase traffic volume.

Current NIPRNET e-mails already show delays, which will surely increase as additional layers of security monitoring are added. If the new DMZ is an add-on to the already existing security methods, the compounding effects are likely to slow all traffic down further.

The DCC or its subordinate points of control will have to deal with requests for access to Internet portals from NIPRNET computers via the DMZ. From an administrative standpoint, the maintenance of a directory of permitted access privileges could represent a large workload.

How the new DMZ will deal with SIPRNET communications, which can tolerate less latency, is not known. DISA will ultimately have to disclose the technical design of its DMZ and how it will handle peak loads. DISA will also have to show how the DMZ will interact with the assurance software already in place on existing networks.

Whether the penultimate Network Control Center (NOC) for DoD, now renamed the DCC, can carry out the task of acting as the sentry of last resort for cyber operations remains to be demonstrated. The DCC will have to deal not only with the 13 subordinate regional operations centers that are under the control of DISA, but also with a large number of Component NOCs, each functioning under a different concept of operations and deploying different software.

Whether a workforce of only 200 has the capacity to coordinate the designs of multiple Component NOCs while also operating in a high-alert mode 24/7 is open to question. If the DCC is the hub of DoD-wide cyber operations, the presence of contractors is contrary to the objective of cyber warfare to make it a combat capability of the USA.